Windows Analysis Report
INVOICE_NO._29998172.exe

Overview

General Information

Sample Name: INVOICE_NO._29998172.exe
Analysis ID: 876157
MD5: 024997939b7ce9b28382176c0a70cec8
SHA1: 48ef66cbadfff627b81794aaab7db1a6413cb43b
SHA256: 13e98dcbf169f54503a15d9415b086222ae48f2e872c69c9417e56d29f610b85
Tags: exe

Detection

AgentTesla, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

AV Detection

Source: 5.2.txQleCu.exe.4561c18.7.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.gimpex-imerys.com", "Username": "qclab@gimpex-imerys.com", "Password": "h45ZVRb6(IMF"}
Source: INVOICE_NO._29998172.exe ReversingLabs: Detection: 25%
Source: INVOICE_NO._29998172.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\txQleCu.exe ReversingLabs: Detection: 25%
Source: INVOICE_NO._29998172.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Joe Sandbox ML: detected
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: /log.tmp
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: KL
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: KL
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>[
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: yyyy-MM-dd HH:mm:ss
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ]<br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PW
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Time:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>User Name:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>Computer Name:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>OSFullName:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>CPU:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>RAM:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IP Address:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <hr>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: New
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: /
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IP Address:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: _
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: /
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: /
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 20
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 20
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 1
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 587
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: mail.gimpex-imerys.com
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: qclab@gimpex-imerys.com
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: h45ZVRb6(IMF
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: obtxxxtf@gmail.com
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: false
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: appdata
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: hOTAU
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: hOTAU.exe
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: hOTAU
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Type
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <hr>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <b>[
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ]</b> (
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: )<br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {BACK}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {ALT+TAB}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {ALT+F4}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {TAB}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {ESC}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {Win}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {CAPSLOCK}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {KEYUP}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {KEYDOWN}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {KEYLEFT}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {KEYRIGHT}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {DEL}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {END}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {HOME}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {Insert}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {NumLock}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {PageDown}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {PageUp}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {ENTER}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F1}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F2}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F3}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F4}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F5}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F6}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F7}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F8}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F9}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F10}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F11}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {F12}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: control
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {CTRL}
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: &
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: &amp;
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: &lt;
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: >
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: &gt;
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: "
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: &quot;
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <br><hr>Copied Text: <br>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <hr>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: logins
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IE/Edge
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Secure Note
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Web Password Credential
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Credential Picker Protector
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Web Credentials
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Credentials
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Domain Certificate Credential
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Domain Password Credential
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Extended Credential
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 00000000-0000-0000-0000-000000000000
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SchemaId
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pResourceElement
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pIdentityElement
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pPackageSid
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pAuthenticatorElement
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IE/Edge
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: UC Browser
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: UCBrowser\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: *
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Login Data
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: journal
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: wow_logins
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Safari for Windows
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <array>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <dict>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <string>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </string>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <string>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </string>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <data>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </data>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: -convert xml1 -s -o "
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \fixed_keychain.xml"
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: "
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: "
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Microsoft\Protect\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: credential
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: QQ Browser
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Tencent\QQBrowser\User Data
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Default\EncryptedStorage
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Profile
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \EncryptedStorage
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: entries
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: category
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: str3
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: str2
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: blob0
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: password_value
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IncrediMail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PopPassword
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SmtpPassword
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\IncrediMail\Identities\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Accounts_New
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PopPassword
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SmtpPassword
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SmtpServer
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: EmailAddress
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Eudora
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: current
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Settings
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SavePasswordText
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Settings
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ReturnAddress
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: -
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Falkon Browser
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \falkon\profiles\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: profiles.ini
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: profiles.ini
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \browsedata.db
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: autofill
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ClawsMail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Claws-mail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \clawsrc
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \clawsrc
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: passkey0
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: master_passphrase_salt=(.+)
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \accountrc
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: smtp_server
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: address
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: account
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: [
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ]
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \passwordstorerc
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: {(.*),(.*)}(.*)
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Flock Browser
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: APPDATA
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Flock\Browser\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: signons3.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ---
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: .
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ---
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: DynDns
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ALLUSERSPROFILE
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Dyn\Updater\config.dyndns
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: username=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: password=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: https://account.dyn.com/
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: t6KzXhCh
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ALLUSERSPROFILE
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Dyn\Updater\daemon.cfg
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: global
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: accounts
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: account.
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: username
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: account.
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Psi/Psi+
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: name
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: jid
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: jid
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Psi/Psi+
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: APPDATA
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Psi\profiles
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: APPDATA
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Psi+\profiles
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \accounts.xml
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \accounts.xml
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: OpenVPN
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\OpenVPN-GUI\configs\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: username
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: auth-data
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: entropy
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: USERPROFILE
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \OpenVPN\config\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: remote
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: remote
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: NordVPN
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: NordVPN
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: NordVpn.exe*
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: user.config
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: //setting[@name='Username']/value
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: //setting[@name='Password']/value
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: NordVPN
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: -
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Private Internet Access
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: %ProgramW6432%
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Private Internet Access\data
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ProgramFiles(x86)
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Private Internet Access\data
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \account.json
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: .*"username":"(.*?)"
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: .*"password":"(.*?)"
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Private Internet Access
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: privateinternetaccess.com
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FileZilla
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: APPDATA
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \FileZilla\recentservers.xml
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: APPDATA
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \FileZilla\recentservers.xml
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Server>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Host>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Host>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </Host>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Port>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </Port>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <User>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <User>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </User>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Pass encoding="base64">
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Pass encoding="base64">
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </Pass>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Pass>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <Pass encoding="base64">
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </Pass>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: CoreFTP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PW
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: User
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Host
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Port
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: hdfzpysvpzimorhk
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: WinSCP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HostName
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: UserName
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PublicKeyFile
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PortNumber
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 22
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: WinSCP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: A
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 10
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: B
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 11
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: C
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 12
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: D
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 13
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: E
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 14
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: F
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 15
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ABCDEF
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Flash FXP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: port
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: user
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pass
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: quick.dat
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Sites.dat
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \FlashFXP\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \FlashFXP\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FTP Navigator
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SystemDrive
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Server
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: No Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: User
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SmartFTP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: APPDATA
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: WS_FTP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: appdata
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HOST
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: UID
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PWD
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PWD=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PWD=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FtpCommander
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SystemDrive
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SystemDrive
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SystemDrive
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \cftp\Ftplist.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;Password=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;User=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;Server=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;Port=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;Port=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;Password=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;User=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ;Anonymous=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FTPGetter
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \FTPGetter\servers.xml
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_ip>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_ip>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </server_ip>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: :
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_port>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </server_port>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_user_name>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_user_name>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </server_user_name>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_user_password>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: <server_user_password>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: </server_user_password>
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FTPGetter
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: The Bat!
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: appdata
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \The Bat!
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Account.CFN
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Account.CFN
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: zzz
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Becky!
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: DataDir
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Folder.lst
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Mailbox.ini
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Account
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PassWd
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Account
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SMTPServer
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Account
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: MailAddress
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Becky!
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Outlook
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Email
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IMAP Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: POP3 Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HTTP Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SMTP Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Email
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Email
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Email
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IMAP Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: POP3 Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HTTP Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SMTP Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Server
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Windows Mail App
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 1
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Email
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Server
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SchemaId
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pResourceElement
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pIdentityElement
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pPackageSid
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: pAuthenticatorElement
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: syncpassword
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: mailoutgoing
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FoxMail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Executable
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: FoxmailPath
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Storage\
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \mail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Accounts\Account.rec0
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Account.stg
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: POP3Host
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SMTPHost
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: IncomingServer
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Account
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: MailAddress
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: POP3Password
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 5A
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 71
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Opera Mail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: opera:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor:
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: PocoMail
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: appdata
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Pocomail\accounts.ini
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Email
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: POPPass
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SMTPPass
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SMTP
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: eM Client
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: eM Client\accounts.dat
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: eM Client
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Accounts
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: "Username":"
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ",
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: "Secret":"
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ",
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: "ProviderName":"
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: ",
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: o6806642kbM7c5
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Mailbird
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: SenderIdentities
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Accounts
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: \Mailbird\Store\Store.db
Source: 5.2.txQleCu.exe.4561c18.7.unpack String decryptor: Server_Host
Source: INVOICE_NO._29998172.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INVOICE_NO._29998172.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tSku.pdb source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr
Source: Binary string: tSku.pdbSHA256[ source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 4x nop then jmp 0A6D75C3h 0_2_0A6D6A08
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 4x nop then jmp 0AAB75C3h 5_2_0AAB6A08

Networking

Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49697 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49697 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49697 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49697 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49698 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49698 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49698 -> 5.100.152.24:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49698 -> 5.100.152.24:587
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 5.100.152.24:587
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: INVOICE_NO._29998172.exe, 00000006.00000002.629144860.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 0000000C.00000002.629486178.0000000002C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gimpex-imerys.com
Source: INVOICE_NO._29998172.exe, 00000006.00000002.629144860.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 0000000C.00000002.629486178.0000000002C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.gimpex-imerys.com
Source: INVOICE_NO._29998172.exe, 00000000.00000002.398102973.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, txQleCu.exe, 00000005.00000002.437574152.0000000003341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INVOICE_NO._29998172.exe, 00000000.00000003.364564498.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364485994.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364509296.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364376733.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364528393.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.5
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: INVOICE_NO._29998172.exe, 00000000.00000003.363538297.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364528393.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.364115711.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: INVOICE_NO._29998172.exe, 00000000.00000003.363520351.0000000005DF4000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363556816.0000000005DF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comitk
Source: INVOICE_NO._29998172.exe, 00000000.00000003.363657222.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comj
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: INVOICE_NO._29998172.exe, 00000000.00000003.366549798.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365774175.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: INVOICE_NO._29998172.exe, 00000000.00000003.365970540.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366153312.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366056911.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365997383.0000000005DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlC
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: INVOICE_NO._29998172.exe, 00000000.00000003.365753646.0000000005DD6000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.365728088.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers:
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: INVOICE_NO._29998172.exe, 00000000.00000003.386928424.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comiona
Source: INVOICE_NO._29998172.exe, 00000000.00000003.386928424.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comttco
Source: INVOICE_NO._29998172.exe, 00000000.00000002.398030415.0000000001607000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363028287.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: INVOICE_NO._29998172.exe, 00000000.00000003.363243179.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.363307593.0000000005DD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/t-F
Source: INVOICE_NO._29998172.exe, 00000000.00000003.363028287.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnhtn
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: INVOICE_NO._29998172.exe, 00000000.00000003.367109894.0000000005DD5000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: INVOICE_NO._29998172.exe, 00000000.00000003.360854011.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.360864782.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.360830990.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: INVOICE_NO._29998172.exe, 00000000.00000003.360891857.0000000005DDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.compew
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: INVOICE_NO._29998172.exe, 00000000.00000002.403738185.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: mail.gimpex-imerys.com
Source: INVOICE_NO._29998172.exe, 00000000.00000002.396629215.0000000001168000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: initial sample Static PE information: Filename: INVOICE_NO._29998172.exe
Source: 5.2.txQleCu.exe.4561c18.7.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 12.2.txQleCu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 5.2.txQleCu.exe.4561c18.7.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 5.2.txQleCu.exe.45389f8.4.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 5.2.txQleCu.exe.45389f8.4.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 5.2.txQleCu.exe.450b5d8.3.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_05356E10 0_2_05356E10
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_05356E00 0_2_05356E00
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D6A08 0_2_0A6D6A08
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D8018 0_2_0A6D8018
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D69F8 0_2_0A6D69F8
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D0040 0_2_0A6D0040
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D0012 0_2_0A6D0012
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D9FD8 0_2_0A6D9FD8
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 0_2_0A6D1D85 0_2_0A6D1D85
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0196F0C0 5_2_0196F0C0
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0196B1B4 5_2_0196B1B4
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0196DA10 5_2_0196DA10
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0196DA20 5_2_0196DA20
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_05806E10 5_2_05806E10
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_05806E00 5_2_05806E00
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AAB6A08 5_2_0AAB6A08
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AAB8018 5_2_0AAB8018
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AAB6A07 5_2_0AAB6A07
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AABA2F0 5_2_0AABA2F0
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AAB003F 5_2_0AAB003F
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AAB0040 5_2_0AAB0040
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0AAB1D85 5_2_0AAB1D85
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E3C8F8 6_2_02E3C8F8
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E3A938 6_2_02E3A938
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E39D20 6_2_02E39D20
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E3A068 6_2_02E3A068
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E359D8 6_2_02E359D8
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_062C9680 6_2_062C9680
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_062C4020 6_2_062C4020
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_062C2C31 6_2_062C2C31
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_062C6638 6_2_062C6638
Source: INVOICE_NO._29998172.exe, 00000000.00000000.358217407.0000000000A72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenametSku.exe4 vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename848e54a8-d802-4186-a62a-e43bdbd99dfb.exe4 vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRegive.dll4 vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000000.00000002.398102973.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename848e54a8-d802-4186-a62a-e43bdbd99dfb.exe4 vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000000.00000002.406572369.00000000075F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRegive.dll4 vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000000.00000002.396629215.0000000001168000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000006.00000002.627240721.000000000104A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe, 00000006.00000002.627137517.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe Binary or memory string: OriginalFilenametSku.exe4 vs INVOICE_NO._29998172.exe
Source: INVOICE_NO._29998172.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: txQleCu.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: INVOICE_NO._29998172.exe ReversingLabs: Detection: 25%
Source: INVOICE_NO._29998172.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File read: C:\Users\user\Desktop\INVOICE_NO._29998172.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exe
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\txQleCu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\txQleCu.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File created: C:\Users\user\AppData\Roaming\txQleCu.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File created: C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/9@4/2
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File read: C:\Users\user\Desktop\desktop.ini
Source: INVOICE_NO._29998172.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Mutant created: \Sessions\1\BaseNamedObjects\XnqqSrOjyYQnupRuSLWCZVFSe
Source: INVOICE_NO._29998172.exe, 00000000.00000003.367109894.0000000005DCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ing.slnt
Source: INVOICE_NO._29998172.exe, 00000000.00000003.367013515.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.367056781.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, INVOICE_NO._29998172.exe, 00000000.00000003.366997958.0000000005DD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rtising.slnt
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\txQleCu.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: INVOICE_NO._29998172.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INVOICE_NO._29998172.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: INVOICE_NO._29998172.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: tSku.pdb source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr
Source: Binary string: tSku.pdbSHA256[ source: INVOICE_NO._29998172.exe, txQleCu.exe.0.dr

Data Obfuscation

Source: INVOICE_NO._29998172.exe, DekkerProject/FormMain.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: txQleCu.exe.0.dr, DekkerProject/FormMain.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.INVOICE_NO._29998172.exe.a70000.0.unpack, DekkerProject/FormMain.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Code function: 5_2_0196E760 pushfd ; ret 5_2_0196E779
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E3DA3B pushfd ; ret 6_2_02E3DA41
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_062C7978 pushad ; ret 6_2_062C7981
Source: initial sample Static PE information: section name: .text entropy: 7.762983884529855
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File created: C:\Users\user\AppData\Roaming\txQleCu.exe

Boot Survival

Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\txQleCu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 6880 Thread sleep time: -41202s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 6948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 6052 Thread sleep time: -41202s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 6004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 1920 Thread sleep count: 1858 > 30
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99858s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99732s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99624s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99384s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -99040s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -98921s >= -30000s
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe TID: 3212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 6096 Thread sleep count: 1509 > 30
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99842s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99713s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99277s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Roaming\txQleCu.exe TID: 3236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9070
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Window / User API: threadDelayed 1858
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Window / User API: threadDelayed 1509
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\txQleCu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\txQleCu.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\txQleCu.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 41202
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 41202
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99858
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99732
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99624
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99515
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99384
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99265
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99156
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 99040
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 98921
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99842
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99713
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99277
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Thread delayed: delay time: 922337203685477
Source: txQleCu.exe, 0000000C.00000002.627295234.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: INVOICE_NO._29998172.exe, 00000006.00000002.627240721.00000000010AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\txQleCu.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmpEB82.tmp
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Process created: C:\Users\user\Desktop\INVOICE_NO._29998172.exe C:\Users\user\Desktop\INVOICE_NO._29998172.exe
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txQleCu" /XML "C:\Users\user\AppData\Local\Temp\tmp3339.tmp
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Process created: C:\Users\user\AppData\Roaming\txQleCu.exe C:\Users\user\AppData\Roaming\txQleCu.exe
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Users\user\Desktop\INVOICE_NO._29998172.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Users\user\AppData\Roaming\txQleCu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Users\user\Desktop\INVOICE_NO._29998172.exe VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Users\user\AppData\Roaming\txQleCu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Code function: 6_2_02E3F650 GetUserNameW, 6_2_02E3F650

Stealing of Sensitive Information

Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INVOICE_NO._29998172.exe PID: 6032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: txQleCu.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: 5.2.txQleCu.exe.4561c18.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.4561c18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.45389f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.45389f8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.450b5d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.440863847.000000000450B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.399658088.0000000004975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\txQleCu.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\txQleCu.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\txQleCu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\txQleCu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INVOICE_NO._29998172.exe PID: 6032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: txQleCu.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
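Added triage example, not part of the Joe Sandbox report or of the sample itself: a small Python script that parses behaviour lines of the form shown above and separates, per process, the credential-store accesses listed in this section (Thunderbird and Firefox profiles.ini, the Outlook MAPI profile key, IncrediMail identities, WinSCP saved sessions, the Chrome Login Data database) from host fingerprinting (the MachineGuid read) and from the GetVolumeInformation calls the .NET loader and PowerShell make against GAC assemblies, fonts, catalog files and modules, which are ordinary runtime activity rather than indicators on their own. The sample input is a subset of the report lines above; the store labels, the noise path list and the two-store alert threshold are this example's own choices.

```python
"""Triage helper: group Joe Sandbox style behaviour lines by process and separate
credential-store access from host fingerprinting and .NET loader noise."""
import re
from collections import defaultdict

# "Source: <process image> <event>: <target>" with optional trailing report tokens.
EVENT_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+"
    r"(?P<event>Queries volume information|File opened|Key opened|Key value queried):\s+"
    r"(?P<target>.+)$"
)
REPORT_RESIDUE = (" Jump to behavior", " VolumeInformation")

# Lower-cased substrings of the credential stores the report shows being opened.
# The labels are this example's own naming, not report output.
CREDENTIAL_STORES = {
    r"\thunderbird\profiles.ini": "Thunderbird profiles.ini",
    r"\windows messaging subsystem\profiles": "Outlook MAPI profile",
    r"\incredimail\identities": "IncrediMail identities",
    r"\martin prikryl\winscp 2\sessions": "WinSCP sessions",
    r"\mozilla\firefox\profiles.ini": "Firefox profiles.ini",
    r"\google\chrome\user data\default\login data": "Chrome Login Data",
}
FINGERPRINT = {r"\software\microsoft\cryptography machineguid": "MachineGuid"}
# GetVolumeInformation on GAC assemblies, fonts, catalog files and PowerShell
# modules is ordinary CLR / PowerShell loader activity (assumed noise list).
RUNTIME_NOISE = (r"\microsoft.net\assembly", r"\windows\fonts", r"\catroot",
                 r"\windowspowershell\v1.0\modules")


def parse_event(line):
    """Return (process, event, target) or None for lines that are not behaviour events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    for residue in REPORT_RESIDUE:          # strip trailing link / type tokens
        if target.endswith(residue):
            target = target[: -len(residue)]
    return m.group("proc"), m.group("event"), target


def classify(event, target):
    """Map one event to (kind, label): credential_store, fingerprint, runtime_noise or other."""
    t = target.lower()
    for needle, label in CREDENTIAL_STORES.items():
        if needle in t:
            return "credential_store", label
    for needle, label in FINGERPRINT.items():
        if needle in t:
            return "fingerprint", label
    if event == "Queries volume information" and any(n in t for n in RUNTIME_NOISE):
        return "runtime_noise", None
    return "other", target


def summarize(lines):
    """Per-process view: distinct credential stores, fingerprint reads, noise count, leftovers."""
    report = defaultdict(lambda: {"credential_stores": set(), "fingerprint": set(),
                                  "runtime_noise": 0, "other": []})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        proc, event, target = parsed
        kind, label = classify(event, target)
        entry = report[proc]
        if kind == "credential_store":
            entry["credential_stores"].add(label)      # set: repeated opens count once
        elif kind == "fingerprint":
            entry["fingerprint"].add(label)
        elif kind == "runtime_noise":
            entry["runtime_noise"] += 1
        else:
            entry["other"].append(target)
    return dict(report)


def harvesting_processes(report, min_stores=2):
    """Processes touching at least `min_stores` distinct credential stores (threshold is an assumption)."""
    return sorted(p for p, e in report.items() if len(e["credential_stores"]) >= min_stores)


# Input: a representative subset of the report lines above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior",
    r"Source: C:\Users\user\Desktop\INVOICE_NO._29998172.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\txQleCu.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\txQleCu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\AppData\Roaming\txQleCu.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\AppData\Roaming\txQleCu.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\txQleCu.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\txQleCu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for proc in harvesting_processes(summary):
        print(proc, "->", sorted(summary[proc]["credential_stores"]))
```

Run against the lines above, both the initial sample and the dropped txQleCu.exe are reported as harvesting processes, while powershell.exe shows only loader noise and one bare volume query on C:\; the parser also copes with the report lines that lack the trailing "Jump to behavior" token.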

Remote Access Functionality

Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.629144860.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.629486178.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: INVOICE_NO._29998172.exe PID: 6032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: txQleCu.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: 5.2.txQleCu.exe.4561c18.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.4561c18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.45389f8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.45389f8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.txQleCu.exe.450b5d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40a93e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.INVOICE_NO._29998172.exe.40d2600.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.399658088.000000000407C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.440863847.000000000450B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.399658088.0000000004975000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY